NoHackNoCTF 2026 writeup — five challenges solved covering AES-CTR nonce reuse, ECDSA nonce-prefix HNP via Python Unicode length expansion, whois-to-Redis SSRF into Jinja2 SSTI, Firefox places.sqlite forensics into ext4 unallocated-block carving, and boarding-gate photo OSINT to a single Jetstar Japan flight number

NoHackNoCTF 2026 Writeup: 5 Challenges Solved

NoHackNoCTF 2026 (NHNC) shipped a small but well-engineered set of challenges where every one of the five bugs pivots on a language-level or protocol-level detail that looks benign until it isn’t: AES-CTR reused with a constant nonce collapses into a one-time pad with a reused pad; an ECDSA nonce whose top 384 bits are SHA384(salt || account) becomes the Hidden Number Problem the moment two “distinct” users can be forced to sign under the same account, arranged by exploiting Python’s str.lower() returning a longer string on Turkish İ; /usr/bin/whois is a full TCP client whose -h HOST -p PORT flags turn a domain-lookup box into a Redis SSRF that writes an RDB snapshot into Flask’s template directory for Jinja2 SSTI; Firefox places.sqlite is a narrative artefact that leads through a Proton Drive share to an ext4 image whose unallocated blocks still hold a torn note’s untorn twin and a WZ-AES ZIP; and a single boarding-gate photograph carries enough EXIF, a legible aircraft registration, and enough background scenery to pin down one specific Jetstar Japan flight from Kansai to Taipei on May 5, 2026. ...

July 11, 2026 · 28 min · 5921 words · CyberSecurity Elite Team
LYKNCTF 2026 web writeup — ten web challenges solved covering padding oracle, JWT alg:none, SSRF+SSTI, PHP short-tag RCE, and Flask debug source disclosure

LYKNCTF 2026 Web Writeup: 10 Challenges Solved

LYKNCTF 2026’s web track shipped ten challenges that collectively covered almost every category of modern web vulnerability: an HTTP-protocol trick that abuses the RFC-9110 allowance for bodies on 3xx redirects, a WebSocket race condition that only trips on pipelined frames, an nginx case-sensitivity location bypass into an autoindexed directory, a full AES-CBC padding oracle (CBC-R) against a signed session token with three distinguishable error classes, a four-digit OTP brute-force feeding a SQL-injection-to-RCE that reads a split flag via a SUID csvtool binary, a client-side leak of window.API_KEY combined with an OpenAPI-schema-discovered admin endpoint, a Flask ?debug=1 source-disclosure hook that leaks app.secret_key for a session forge, a textbook alg:none JWT bypass, a PHP short-tag .php5 extension bypass through a Tesseract OCR pipeline, and a five-stage SSRF-into-internal-source-map-into-HMAC-invite-forge-into-Jinja2-SSTI chain. ...

July 9, 2026 · 32 min · 6622 words · CyberSecurity Elite Team
HASBLCTF 2026 web writeup — all 5 challenges (T/I Forum, Anatolian Atlas, Arena.exe, Lineup Challenge, DTeam)

HASBLCTF 2026 Web Exploitation: All 5 Challenges Solved

Platform HASBL CTF 2026 Difficulty Mixed (Easy → Hard) OS Jeopardy — Web (HTTP, nginx, Express, Next.js, Flask) Tags client-side auth bypass via robots.txt + cookie injection, non-iterative path-traversal filter bypass, client-trusted economy / coin spoofing, Next.js sourcemap + header reconnaissance with hint-prune brute force, Jinja2 SSTI in PDF receipts with capped-field escape via Flask SECRET_KEY leak and itsdangerous session forgery HASBL CTF 2026 is a multi-category jeopardy event with Reverse Engineering, Pwn, Web, and Forensics tracks. This writeup is dedicated to the Web Exploitation track — the five web challenges (T/I Forum, Anatolian Atlas, Arena.exe, Lineup Challenge, DTeam) were all solved, and each one teaches a different web-attack primitive: client-side authentication theatre defeated by reading the JavaScript, non-iterative .. traversal filters, client-trusted in-game economies, hint-collection across HTTP headers / sourcemaps / robots.txt, and a two-stage Flask SSTI chain through a PDF-receipt template. ...

June 1, 2026 · 19 min · 4000 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap